Stealing Facebook passwords with in-app iframes


Today I read a note from F-Secure about phishing that takes advantage of iframes in applications to load fake pages:

In the screenshot above, taken by F-Secure, you can see the phishing page loaded inside Facebook; at first glance it is not noticeable, except for the detail that it is an application (

It is a simple but very effective attack when accompanied by social engineering. In this case the victims are tricked with a suspicious-activity warning asking them to confirm their account details; if they do, they are actually sending the information to cybercriminals, who will then sell it or use it to send spam.

I have been doing some searching, and there are many apps stealing passwords with frames:

site: account security

Some of the fraudulent applications that appear in the results have already been removed, but others are still active, such as the following:

The form is loaded using an iframe:

Application source code

In the source code you can see that the page displayed is hosted under a .tk domain. This is the phishing page shown in the Facebook application:

This in turn loads its content from another page, which is the one that actually contains the fake form:

Why load it twice? It probably makes it easier to create fraudulent pages under different .tk domains: if some of them are taken down or blocked, the form that steals the data stays online and keeps working for the other domains.
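The double load described above can be spotted mechanically by following the iframe chain from an app page and checking where each frame, and where any password form, actually points. The following is an added example written for this post, not code from F-Secure, Facebook or the fraudulent apps; the hosts in it are hypothetical and the sample pages are constructed to mirror the chain the post describes (app page, .tk frame, second host with the real form).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _Extractor(HTMLParser):
    """Collects iframe src values and the action of each form that holds a password field."""

    def __init__(self):
        super().__init__()
        self.iframes, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self._form = a.get("action") or ""  # "" means "post back to this page"
        elif tag == "input" and a.get("type") == "password" and self._form is not None:
            self.forms.append(self._form)
            self._form = None  # report each form once

def audit_app_page(fetch, app_url, max_depth=3):
    """Walk the iframe chain breadth first; report off-host iframes and off-host password forms."""
    app_host = urlparse(app_url).hostname
    findings, queue = [], [(app_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        html = fetch(url)  # fetch(url) returns an HTML string, or None if unreachable
        if html is None or depth > max_depth:
            continue
        parser = _Extractor()
        parser.feed(html)
        for src in parser.iframes:
            child = urljoin(url, src)
            if urlparse(child).hostname != app_host:
                findings.append(("external-iframe", url, child))
            queue.append((child, depth + 1))
        for action in parser.forms:
            target = urljoin(url, action)
            if urlparse(target).hostname != app_host:
                findings.append(("password-form-offhost", url, target))
    return findings

# Constructed sample pages on hypothetical hosts: app page -> .tk iframe -> host with the real form.
SAMPLE_PAGES = {
    "https://apps.example-social.test/accountsecurity/": '<iframe src="http://accountsecurity.example.tk/"></iframe>',
    "http://accountsecurity.example.tk/": '<iframe src="http://form-host.example.test/login.php"></iframe>',
    "http://form-host.example.test/login.php": '<form action="save.php"><input name="email"><input type="password" name="pass"></form>',
    "https://apps.example-social.test/clean/": '<form action="/login"><input type="password" name="pass"></form>',  # benign control
}
```

Calling `audit_app_page(SAMPLE_PAGES.get, "https://apps.example-social.test/accountsecurity/")` yields two external-iframe findings followed by one password form posting to the second host; in practice `fetch` would be an HTTP client and the app host the platform's real app domain.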

The fact that frames can be used in applications has been questioned a lot, since it allows any kind of code to be loaded. As I said at the beginning, it is a simple but very effective attack: victims may believe that Facebook itself is requesting the data.

Both fake sites discussed in this post have already been reported to PhishTank and are blocked by browsers. If you access the application page, a warning is currently displayed (example with Firefox):

Applications can also be reported from their respective pages.

See also: PhishTank, a service for reporting phishing. Reporting phishing from Gmail, Hotmail, Firefox and Internet Explorer.